comp.lang.ada
From: hfrumblefoot@yahoo.com (Hambut)
Subject: Re: official recommendations of Ada
Date: 17 Jul 2001 14:32:51 -0700
Message-ID: <fb75c450.0107171332.18376cd6@posting.google.com>
In-Reply-To: bebbba07.0107162313.66a58a69@posting.google.com

Hi,

It's been a dull evening tonight, so I thought I'd have a wade through
the stuff I've got to hand to see what I can find with respect to Ada
recommendations.  This may help - it might at least be a starting
point.

I've managed to find three broad categories of things:

1.  Recommendations to use Ada in safety related applications
2.  Links to articles which perhaps provide ammunition against the use
of C++.
3.  Some general safety links that you might find useful if your
company's about to embark on a safety related project.

1.  Recommendations to use Ada in safety related applications.
    ==========================================================

I've managed to find 3.5 concrete recommendations for the use of Ada
in safety related systems:
1.1  European Railway Safety Standard prEN50128
1.2  MISRA C Coding Guidelines
1.3  US DoD Joint Software System Safety Handbook (the half a recommendation)
1.4  A paper published in the early nineties

Interestingly neither DO178B (aviation software safety standard) nor
Defence Standard 00-55 (UK defence standard for the development of
safety related/critical software) make recommendations as to language
choice.  Instead they define characteristics that the chosen language
should obey.  The characteristics defined by Defence Standard 00-55
pretty much boil down to a choice of SPARK Ada or SPARK Ada for the
highest integrity levels.

I believe that IEC61508 (you referred to it as 1508 in your initial
posting) has a similar table to prEN50128 - although I'd need to chase
it up to be absolutely sure (so all you standards junkies don't shoot
me down in flames just yet).

Final point to note is that there is a very useful document being
produced by an ISO committee (The Annex H Rapporteur Group)
called "Programming Languages - Guide for the Use of the Ada
Programming Language in High Integrity Systems".  I can't find a link
to a downloadable copy immediately.  Perhaps another reader can help?

1.1  European Railway Standard prEN50128

Table A.15 of CENELEC prEN50128 lists Ada as being "highly recommended" for
Safety Integrity Levels 1 and 2, and "recommended" for Safety Integrity
Levels 3 and 4.

The same table lists unrestricted C or C++ as "not recommended" for
safety integrity levels 3 and 4, and makes no recommendation for
safety integrity levels 1 and 2.

However it also lists "A subset of C or C++" as "recommended" for
safety integrity levels 1 to 4.

Interestingly it doesn't mention a safe subset of Ada in the table.  However
it does say, in a note, "At Software Safety Integrity Level 3 and 4 when a
subset of languages 1,2,3 and 4 are used the recommendation changes to HR".
HR is the code for highly recommended.  Ada is language 1.  So when a
suitable subset of Ada is used the recommendation is "highly recommended".

This is from "Railway applications - Software for railway control and
protection systems", prEN 50128.  Possibly available from www.cenelec.org.

1.2  MISRA C Coding Guidelines

"Examples of languages generally recognised to be more suitable than C
[for safety related software] are Ada and Modula-2.  If such languages
could be available for a proposed system then their use should be
seriously considered in preference to C."

Document at:
o  http://www.misra.org.uk/graphics/miscprev.pdf

1.3  US DoD Software Safety Handbook

"The Ada programming language provides considerable support for
preventing many causes of unpredictable behaviour allowed in other
languages.  For example,...., implicit constraint checks prevent the
classic "C" programming bug of writing a value into the 11th element
of a 10-element array." 

This is from "Software System Safety Handbook - A Technical and Managerial
Team Approach", Joint Software System Safety Committee, December 1999.

Available from http://www.nswc.navy.mil/safety/joint_software_system_safety_han.htm

1.4  The choice of computer languages for use in safety-critical systems

A paper published in the early nineties, which looked at a number of
attributes that the authors thought were important for 'safe'
software, has this to say about the subject:

"The languages that design teams should consider as candidates for use
in high integrity systems are, according to the assessments in this
paper, and in descending order of merit

o  ISO Pascal subsets supported by validation tools (e.g. SPADE
Pascal);
o  an Ada sub-language, when available;
o  a Modula-2 sub-language when available;
o  a CORAL 66 subset."

"If analysis of the hazards suggests that the risks are comparatively
low, the second group of languages that may be considered includes, in
no particular order

o  structured assembly languages;
o  DoD Ada, with minimal restrictions;
o  ISO Pascal, with minimal restrictions;
o  Modula-2, with minimal restrictions."

"Based on the assessments in this paper, the use of the following
languages is to be deprecated when safety is an issue

o  unrestricted use of assembly languages;
o  C (despite its many adherents);
o  unrestricted use of CORAL 66"

This is from "The choice of computer languages for use in safety-critical
systems", W.J. Cullyer, S.J. Goodenough and B.A. Wichmann, Software
Engineering Journal, March 1991.

I believe this study is also quoted in Neil Storey's "Safety Critical
Computer Systems" book.


2.  Links to articles which provide ammunition against the use of C++.
    =================================================================

There are two main links:

For a critical view of C++, which may provide useful reasons why it
should not be used in a safety related/critical project look at the
Joyner paper, "A Critique of C++ and Programming and Language Trends of
the 1990s" available at:

    http://www.progsoc.uts.edu.au/~geldridg/cpp/cppcv3.html

And for a debate, which includes submissions by a number of respected
safety people about the use of C++ in developing safety related
software take a look at:

    http://www.cs.york.ac.uk/hise/sclist/cplussafety.html


3.  Some General Safety Links You Might Find Useful
    ===============================================

In fact there's one, which is a good starting point for links to lots
of other sites interested in software safety:

    http://www.afm.sbu.ac.uk/safety/


Hope this helps.

Cheers,

Hambut
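Added example (not part of Hambut's post): the implicit constraint check
that the DoD handbook quoted in 1.3 describes, shown in working Ada.  The
procedure name Bounds_Demo, the types Index and Buffer and the helper Store
are my own choices.  The program stores into the last valid element of a
ten-element array, then attempts the classic "11th element" write; because
the index comes from a run-time value the compiler cannot reject it
statically, so the generated code range-checks it and raises
Constraint_Error instead of silently overwriting whatever sits after the
array.

```ada
--  Added example, not from the original post.  Build with e.g.
--  "gnatmake bounds_demo.adb" and run ./bounds_demo.
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Bounds_Demo is
   --  Assumed, illustrative types: a ten-element array indexed 1 .. 10.
   type Index  is range 1 .. 10;
   type Buffer is array (Index) of Integer;

   Buf : Buffer := (others => 0);

   --  Position is a run-time value of an unconstrained type, so the
   --  conversion to Index carries an implicit range check.  Values
   --  outside 1 .. 10 raise Constraint_Error before any store happens.
   procedure Store (Position : Natural; Value : Integer) is
   begin
      Buf (Index (Position)) := Value;
      Put_Line ("stored" & Integer'Image (Value)
                & " at" & Natural'Image (Position));
   end Store;

begin
   Store (10, 42);   --  last valid element: prints "stored 42 at 10"
   Store (11, 99);   --  the "11th element" bug: raises Constraint_Error
   Put_Line ("not reached");
exception
   when E : Constraint_Error =>
      --  In C the equivalent write would succeed and corrupt the object
      --  following the array; here it is trapped and reported.
      Put_Line ("Constraint_Error: " & Exception_Message (E));
end Bounds_Demo;
```

One caveat worth keeping in mind when this argument is used on a project:
the check is only there while it is enabled.  Compiling with GNAT's -gnatp
switch, or a pragma Suppress (All_Checks) in the source, removes it and
gives exactly the C behaviour the handbook warns about, which is why the
safety subsets discussed above control the use of such pragmas.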


